
Regulatory Principles

In the document Paul Ohm S F A B P P : R (pages 61-64)

Now that we know whom to regulate—database owners holding linkable or sensitive data (PII) and large entropy reducers—we turn to the content of regulation. How should regulators respond to the power of reidentification and the collapse of our faith in anonymization? Before we turn to a list of factors that will guide us to the proper regulation, we need to understand some overarching principles. This step is necessary because so much of how we regulate privacy depends on our faith in anonymization; stripped of this faith, we need to reevaluate some core principles.

1. From Math to Sociology

Regulators need to shift away from thinking about regulation, privacy, and risk only from the point of view of the data, asking whether a particular field of data viewed in a vacuum is identifiable. Instead, regulators must ask a broader set of questions that help reveal the risk of reidentification and threat of harm. They should ask, for example, what has the data administrator done to reduce the risk of reidentification? Who will try to invade the privacy of the people in the data, and are they likely to succeed? Do the history, practices, traditions, and structural features of the industry or sector instill particular confidence or doubt about the likelihood of privacy?

Notice that while the old approach centered almost entirely on technological questions—it was math and statistics all the way down—the new inquiry is cast also in sociological, psychological, and institutional terms.

Because easy reidentification has taken away purely technological solutions that worked irrespective of these messier, human considerations, it follows that new solutions must explore, at least in part, the messiness.287

287. See Chawla et al., supra note 253, at 367 (noting that the relative advantage of one interactive technique is that “the real data can be deleted or locked in a vault, and so may be less vulnerable to bribery of the database administrator”).

2. Support for Both Comprehensive and Contextual Regulation

The failure of anonymization will complicate one of the longest-running debates in information privacy law: Should regulators enact comprehensive, cross-industry privacy reform, or should they instead tailor specific regulations to specific sectors?288 Usually, these competing choices are labeled, respectively, the European and United States approaches. In a postanonymization world, neither approach is sufficient alone: We need to focus on particular risks arising from specific sectors because it is difficult to balance interests comprehensively without relying on anonymization. On the other hand, we need a comprehensive regulation that sets a floor of privacy protection because anonymization permits easy access to the database of ruin. In aiming for both general and specific solutions, this recommendation echoes Dan Solove, who cautions that privacy should be addressed neither too specifically nor too generally.289 Solove says that we should simultaneously “resolve privacy issues by looking to the specific context,”290 while at the same time using “a general framework to identify privacy harms or problems and to understand why they are problematic.”291

Thus, the U.S.’s exclusively sectoral approach is flawed, because it allows entire industries to escape privacy regulation completely based on the illusion that some data, harmless data, data in the middle of long chains of inferences leading to harm, is so bland and nonthreatening that it is not likely to lead to harm if it falls into the wrong hands. The principle of accretive reidentification shatters this illusion. Data almost always forms the middle link in chains of inferences, and any release of data brings us at least a little closer to our personal databases of ruin. For this reason, there is an urgent need for comprehensive privacy reform in this country. A law should mandate a minimum floor of safe data-handling practices on every data handler in the U.S. Further, it should require even stricter data-handling practices for every large entropy reducer in the U.S.

But on the other hand, the European approach—and specifically the approach the EU has taken in the Data Protection Directive—sets the height of this floor too high. Many observers have complained about the onerous obligations of the Directive.292 It might have made good sense to impose such strict requirements (notice, consent, disclosure, accountability) on data administrators when we still believed in the power of anonymization because the law left the administrators with a fair choice: Anonymize your data to escape these burdens or keep your data identifiable and comply.

288. See, e.g., Schwartz, supra note 162, at 908–16 (discussing history of sectoral and comprehensive approaches to privacy law).

289. DANIEL J. SOLOVE, UNDERSTANDING PRIVACY 46–49 (2008).

290. Id. at 48.

291. Id. at 49.

But as we have seen, easy reidentification has mostly taken away this choice, thereby broadening the reach of the Directive considerably. Today, the EU hounds Google about IP addresses; tomorrow, it can make similar arguments about virtually any data-possessing company or industry. A European privacy regulator can reasonably argue that any database containing facts (no matter how well scrubbed) relating to people (no matter how indirectly) very likely now falls within the Directive. It can impose the obligations of the Directive even on those who maintain databases that contain nothing that a layperson would recognize as relating to an individual, so long as the data contains idiosyncratic facts about the lives of individuals.

I suspect that some of those who originally supported the Directive might feel differently about a Directive that essentially provides no exception for scrubbed data—a Directive covering most of the data in society. The Directive’s aggressive data-handling obligations might have seemed to strike the proper balance between information flow and privacy when we thought that they were restricted to “personal data,” but once reidentification science redefines “personal data” to include almost all data, the obligations of the Directive might seem too burdensome. For these reasons, the European Union might want to reconsider whether it should lower the floor of its comprehensive data-handling obligations.

Finally, once the U.S. tackles comprehensive privacy reform and the EU lowers the burdens of the directive, both governments should expand the process of imposing heightened privacy regulations on particular sectors.

What might be needed above the comprehensive floor for health records may not be needed for phone records, and what might solve the problems of private data release probably will not work for public releases.293 This approach borrows from Helen Nissenbaum, who urges us to understand privacy through what she calls “contextual integrity,” which “couches its prescriptions always within the bounds of a given context” as better than other “universal” accounts.294 This approach also stands in stark contrast to the advice of other information privacy scholars and activists, who tend to valorize sweeping, society-wide approaches to protecting privacy and say nothing complimentary about the U.S.’s sectoral approach.

292. E.g., DOROTHEE HEISENBERG, NEGOTIATING PRIVACY: THE EUROPEAN UNION, THE UNITED STATES AND PERSONAL DATA PROTECTION 29, 30 (2005) (calling parts of the Directive “quite strict” and “overly complex and burdensome”).

293. Cf. infra Part IV.D (discussing specific rules for health privacy and search engine privacy contexts).

What easy reidentification thus demands is a combination of comprehensive data-protection regulation and targeted, enhanced obligations for specific sectors. Many others have laid out the persuasive case for a comprehensive data privacy law in the United States, so I refer the reader elsewhere for that topic.295 The rest of the Article explores how to design sector-specific data privacy laws, now that we can no longer lean upon the crutch of robust anonymization to give us balance. What does a post-anonymization privacy law look like?
